by Elizabeth Ducie

Created on: September 22, 2009

The simple difference between an internal and an external audit is that the former is something we carry out ourselves within our organisation while the latter is carried out by some-one from outside the organisation. Internal audits are sometimes called first-party audits or self-inspections while external audits are sometimes called second or third party audits, depending on the purpose of the audit and the people carrying it out. Let's look at each one in turn and explore the what, why and how in each case.

Internal (First Party) Audits

A key purpose of an internal audit is hopefully to identify minor problems and errors before they become a major issue or are discovered by a third party.

An internal audit is generally something we do because a law, a regulation or a formal programme requires it. For example, if we have accreditation to a formal Quality System, an internal audit will be a required element. Both ISO 9000 (the family of general quality management standards) and ISO 14000 (the family of environmental quality management standards) require an internal audit to be carried out on a regular basis. The pattern of audits may be defined by the organisation, but the entire quality system must be audited at least once per year.

A second purpose of an internal audit can be to carry out a risk assessment in order to identify potential problems and either eliminate or reduce the risk. Formal systems requiring this type of audit include COSHH (Control of Substances Hazardous to Health) which is mandatory in the UK.

A third purpose of an internal audit can be as a training exercise. One way that we can train our employees about the requirements of our quality system is to involve them in the audit process. They need to learn the requirements in order to check that they are being achieved and can see how they are being implemented in practice.

External (Second Party) Audits

A second party audit is one that is carried out by a non-regulatory auditor. For example, in some industries, especially pharmaceuticals and chemicals, customers and potential customers will often ask to visit a company to ensure they are operating according to a quality system and hence will provide good quality goods. This is particularly important where the customer is part of a highly regulated industry and is likely to be subject to audits and inspections themselves.

These days, it is a fact of life that many companies are subject to mergers or acquisitions. Others need to obtain financing from external bodies either in the form of loans or grants. In all these cases, the investor needs to know that their investment is safe. They will often arrange for a due diligence audit to be carried out during the early stages of the discussions.

External (Third Party Audits)

A third party audit is one that is carried out by a regulatory auditor or inspector. These are a legal requirement in highly regulated industries such as pharmaceuticals and food production. The purpose in this case is to ensure that all regulatory requirements are complied with. This sort of audit is also a requirement for any company accredited to a formal quality system such as ISO 9000 or ISO 14000. IN this case, the purpose is to see that the company has a formal quality system in place and that it is being operated appropriately.

Learn more about this author, Elizabeth Ducie.
Click here to send this author comments or questions.